From 0b0234f48abed0154e5ec9dcb11cd23470246035 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bart=C5=82omiej=20Piotrowski?=
Date: Sun, 12 Apr 2015 19:59:51 +0200
Subject: [PATCH] keystone: pki-setup should be run regardless of token provider

The puppet-keystone module currently will only execute 'keystone-manage pki_setup' to create the signing key if the PKI token provider is being used. The signing key/cert is still used for signing the token revocation list, even when the UUID token provider is being used. We should be running 'keystone-manage pki_setup' if enable_pki_setup=true, regardless of token provider.

Closes-Bug: 1374349
Upstream commit: I2817fbde74cbd50cae31f681503816e576cc7b60
Change-Id: I293593194a7545aecd3ebd825d108b4b1c20ba29
---
 deployment/puppet/keystone/manifests/init.pp | 78 ++++++++++++++-----
 .../keystone/spec/classes/keystone_spec.rb | 51 +++++++++++-
 2 files changed, 109 insertions(+), 20 deletions(-)

diff --git a/deployment/puppet/keystone/manifests/init.pp b/deployment/puppet/keystone/manifests/init.pp
index 94ae3d562e..af0bb42f72 100644
--- a/deployment/puppet/keystone/manifests/init.pp
+++ b/deployment/puppet/keystone/manifests/init.pp
@@ -41,7 +41,6 @@
 # [enabled] If the keystone services should be enabled. Optional. Default to true.
 # [sql_connection] Url used to connect to database.
 # [idle_timeout] Timeout when db connections should be reaped.
-# [enable_pki_setup] Enable call to pki_setup.
 # [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
 # [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
 # [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
@@ -67,7 +66,7 @@
 # If set to boolean false, it will not log to any directory
 # Defaults to '/var/log/keystone'
 #
-# [*log_file*] 
+# [*log_file*]
 # (optional) Where to log
 # Defaults to false
 #
@@ -118,6 +117,28 @@
 # Tested versions include 0.9 and 2.2
 # Default to '0.9'
 #
+# [enable_pki_setup]
+# Enable call to pki_setup to generate the cert for signing pki tokens and
+# revocation lists if it doesn't already exist. This generates a cert and key
+# stored in file locations based on the signing_certfile and signing_keyfile
+# paramters below. If you are providing your own signing cert, make this false.
+#
+# [signing_certfile]
+# Location of the cert file for signing pki tokens and revocation lists.
+# Optional. Note that if this file already exists (i.e. you are providing your
+# own signing cert), the file will not be overwritten, even if enable_pki_setup
+# is set to true.
+#
+# [signing_ca_certs]
+# Use this CA certs file along with signing_certfile/signing_keyfile for
+# signing pki tokens and revocation lists.
+# Optional. Default: /etc/keystone/ssl/certs/ca.pem
+#
+# [signing_ca_key]
+# Use this CA key file along with signing_certfile/signing_keyfile for signing
+# pki tokens and revocation lists.
+# Optional. Default: /etc/keystone/ssl/private/cakey.pem
+#
 # == Dependencies
 # None
 #
@@ -172,6 +193,10 @@ class keystone(
 $sql_connection = 'sqlite:////var/lib/keystone/keystone.db',
 $idle_timeout = '200',
 $enable_pki_setup = true,
+ $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
+ $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
+ $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
+ $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
 $mysql_module = '0.9',
 $rabbit_host = 'localhost',
 $rabbit_hosts = false,
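Review bot: The new parameter documentation block in the `@@ -118` hunk documents `enable_pki_setup`, `signing_certfile`, `signing_ca_certs` and `signing_ca_key` but has no entry for `signing_keyfile`, even though the `@@ -172` hunk adds it as a class parameter and the manifest keys its `creates` guard on that path; add an entry beside the others, e.g. `# [signing_keyfile]` / `# Location of the private key file for signing pki tokens and revocation lists.` / `# Optional. Default: /etc/keystone/ssl/private/signing_key.pem`. The `[enable_pki_setup]` and `[signing_certfile]` entries also omit their defaults (`true` and `/etc/keystone/ssl/certs/signing_cert.pem`), unlike the two CA entries. `paramters` in the `[enable_pki_setup]` text should read `parameters`. The parameter list belongs to `class keystone(`, whose body continues outside the hunk.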
@@ -345,42 +370,57 @@ class keystone(
 warning('token_format parameter is deprecated. Use token_provider instead.')
 }
 
- # remove the old format in case of an upgrade
- keystone_config { 'signing/token_format': ensure => absent }
+ # Set the signing key/cert configuration values.
+ keystone_config {
+ 'signing/certfile': value => $signing_certfile;
+ 'signing/keyfile': value => $signing_keyfile;
+ 'signing/ca_certs': value => $signing_ca_certs;
+ 'signing/ca_key': value => $signing_ca_key;
+ }
+
+ # Create cache directory used for signing.
+ file { $cache_dir:
+ ensure => directory,
+ }
+
+ # Only do pki_setup if we were asked to do so. This is needed
+ # regardless of the token provider since token revocation lists
+ # are always signed.
+ if $enable_pki_setup {
+ exec { 'keystone-manage pki_setup':
+ path => '/usr/bin',
+ user => 'keystone',
+ refreshonly => true,
+ creates => $signing_keyfile,
+ notify => Service['keystone'],
+ subscribe => Package['keystone'],
+ require => User['keystone'],
+ }
+ }
 if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
 keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
- file { $cache_dir:
- ensure => directory,
- }
-
- if $enable_pki_setup {
- exec { 'keystone-manage pki_setup':
- path => '/usr/bin',
- user => 'keystone',
- refreshonly => true,
- creates => '/etc/keystone/ssl/private/signing_key.pem',
- notify => Service['keystone'],
- subscribe => Package['keystone'],
- require => User['keystone'],
- }
- }
 } elsif $token_format == 'UUID' {
 keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
 } else {
 keystone_config { 'token/provider': value => $token_provider }
 }
+ # remove the old format in case of an upgrade
+ keystone_config { 'signing/token_format': ensure => absent }
+
 if $notification_driver {
 keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
 } else {
 keystone_config { 'DEFAULT/notification_driver': ensure => absent }
 }
+
 if $notification_topics {
 keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
 } else {
 keystone_config { 'DEFAULT/notification_topics': ensure => absent }
 }
+
 if $control_exchange {
 keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
 } else {
diff --git a/deployment/puppet/keystone/spec/classes/keystone_spec.rb b/deployment/puppet/keystone/spec/classes/keystone_spec.rb
index ed9beccb48..a0478370ca 100644
--- a/deployment/puppet/keystone/spec/classes/keystone_spec.rb
+++ b/deployment/puppet/keystone/spec/classes/keystone_spec.rb
@@ -179,7 +179,24 @@ describe 'keystone' do
 'token_provider' => 'keystone.token.providers.uuid.Provider'
 }
 end
+ it { should contain_exec('keystone-manage pki_setup').with(
+ :creates => '/etc/keystone/ssl/private/signing_key.pem'
+ ) }
+ it { should contain_file('/var/cache/keystone').with_ensure('directory') }
+
+ describe 'when overriding the cache dir' do
+ before do
+ params.merge!(:cache_dir => '/var/lib/cache/keystone')
+ end
+ it { should contain_file('/var/lib/cache/keystone') }
+ end
+
+ describe 'when disable pki_setup' do
+ before do
+ params.merge!(:enable_pki_setup => false)
+ end
 it { should_not contain_exec('keystone-manage pki_setup') }
+ end
 end
 
 describe 'when configuring as PKI' do
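Review bot: The `creates => $signing_keyfile` guard on the relocated `exec { 'keystone-manage pki_setup': }` checks only the private key, while the same hunk now writes four paths to `signing/certfile`, `signing/keyfile`, `signing/ca_certs` and `signing/ca_key`; if the key exists but the cert or CA material is missing, the exec is skipped and revocation-list signing fails at runtime instead of at apply time, so consider listing all four paths in `creates` if the Puppet version in use accepts an array there. With `refreshonly => true` and `subscribe => Package['keystone']` the command also fires only on a package event, so changing `signing_keyfile` on an already-deployed node regenerates nothing; that deserves a comment on the exec, e.g. `# Runs once, on package install/refresh, and never overwrites an existing key.` Nothing in the hunk manages ownership or mode of the generated key files; `pki_setup` runs as `keystone`, so their permissions are whatever the tool writes, and a `file` resource pinning `$signing_keyfile` and `$signing_ca_key` to `mode => '0600'` would make the intended protection explicit. The body of `class keystone(` starts before and ends after this hunk.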
@@ -209,6 +226,38 @@ describe 'keystone' do
 end
 end
 
+ describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
+ let :params do
+ {
+ 'admin_token' => 'service_token',
+ 'token_provider' => 'keystone.token.providers.uuid.Provider',
+ 'enable_pki_setup' => false,
+ 'signing_certfile' => 'signing_certfile',
+ 'signing_keyfile' => 'signing_keyfile',
+ 'signing_ca_certs' => 'signing_ca_certs',
+ 'signing_ca_key' => 'signing_ca_key'
+ }
+ end
+
+ it { should_not contain_exec('keystone-manage pki_setup') }
+
+ it 'should contain correct PKI certfile config' do
+ should contain_keystone_config('signing/certfile').with_value('signing_certfile')
+ end
+
+ it 'should contain correct PKI keyfile config' do
+ should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
+ end
+
+ it 'should contain correct PKI ca_certs config' do
+ should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
+ end
+
+ it 'should contain correct PKI ca_key config' do
+ should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
+ end
+ end
+
 describe 'with invalid catalog_type' do
 let :params do
 { :admin_token => 'service_token',
@@ -234,7 +283,7 @@ describe 'keystone' do
 'token_format' => 'UUID'
 }
 end
- it { should_not contain_exec('keystone-manage pki_setup') }
+ it { should contain_exec('keystone-manage pki_setup') }
 end
 
 describe 'when configuring deprecated token_format as PKI' do
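Review bot: The new `describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled'` block overrides `signing_keyfile` only together with `'enable_pki_setup' => false`, so the manifest's `creates => $signing_keyfile` wiring is never exercised; the only `creates` assertion (in the `@@ -179` hunk) uses the default path, and a regression back to a hard-coded key path would go unnoticed. Add a sibling case with `'enable_pki_setup' => true` and a custom key path that asserts `should contain_exec('keystone-manage pki_setup').with(:creates => 'signing_keyfile')`. The description string reads awkwardly; `'when configuring PKI signing cert paths with UUID tokens and pki_setup disabled'` says the same thing more clearly.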